diff options
Diffstat (limited to 'seccomp/arm/9p_device.policy')
-rw-r--r-- | seccomp/arm/9p_device.policy | 32 |
1 files changed, 2 insertions, 30 deletions
diff --git a/seccomp/arm/9p_device.policy b/seccomp/arm/9p_device.policy index c1c3aea..b3167b9 100644 --- a/seccomp/arm/9p_device.policy +++ b/seccomp/arm/9p_device.policy @@ -2,56 +2,28 @@ # Use of this source code is governed by a BSD-style license that can be # found in the LICENSE file. -write: 1 -recv: 1 -read: 1 -epoll_wait: 1 +@include /usr/share/policy/crosvm/common_device.policy + pread64: 1 pwrite64: 1 lstat64: 1 stat64: 1 -close: 1 -prctl: arg0 == PR_SET_NAME open: 1 openat: 1 fstat64: 1 -# ioctl(fd, FIOCLEX, 0) is equivalent to fcntl(fd, F_SETFD, FD_CLOEXEC). ioctl: arg1 == FIOCLEX getdents64: 1 fdatasync: 1 fsync: 1 -# Disallow mmap with PROT_EXEC set. The syntax here doesn't allow bit -# negation, thus the manually negated mask constant. -mmap2: arg2 in 0xfffffffb -mprotect: arg2 in 0xfffffffb -sigaltstack: 1 -munmap: 1 mkdir: 1 rmdir: 1 -epoll_ctl: 1 rename: 1 writev: 1 link: 1 unlink: 1 -restart_syscall: 1 -exit: 1 -rt_sigreturn: 1 -epoll_create1: 1 -sched_getaffinity: 1 -dup: 1 -# Disallow clone's other than new threads. -clone: arg0 & 0x00010000 -set_robust_list: 1 -exit_group: 1 socket: arg0 == AF_UNIX -futex: 1 -eventfd2: 1 -mremap: 1 -# Allow MADV_DONTDUMP and MADV_DONTNEED only. -madvise: arg2 == 0x00000010 || arg2 == 0x00000004 utimensat: 1 ftruncate64: 1 fchown: arg1 == 0xffffffff && arg2 == 0xffffffff statfs64: 1 fstatat64: 1 -getpid: 1 |